My WordPress Site Has Been Hacked


Websites can be hacked in many ways, but for small businesses the WordPress content management system is currently the most likely entry point. The popularity of WordPress and the ease of developing sites with it make it easier and more economical for micro and small business owners to have a website built, but they have also opened the door for hackers to gain easy access to distribution points for malware and spam. Rather than damage the reputation of their own servers and IP addresses, the hackers damage yours. Automated bots run 24/7 worldwide looking for vulnerable points where they can plant malicious code. The owners of these sites do not have the know-how to manage WordPress updates, or do not even know that they need to apply them, until they discover that their website has been blacklisted by ISPs because it is serving up malware, or that their email has been shut down because their server has become a spam relay point.

Why are WordPress sites more vulnerable? Before WordPress, most small business sites were HTML sites. HTML is a simple series of codes that tell the browser what to display and how to display it. For the most part, this simple code is not an entry point for a hacker. WordPress, on the other hand, is a freeware content management system (CMS) with lots of contributed code in the form of plugins, which are free or low-cost add-ons. On top of that there are themes, which are either free or purchased. Any of these components can contain vulnerabilities, whether unintended or even intended.

The first rule is to have a secured website hosting account on a secured server. Most small businesses have their websites set up on secured servers that host lots of sites. The best standard to ask your host about is whether the server is PCI compliant. PCI compliance is the credit card industry standard for security and is required for electronic payments where credit cards are involved. Although lower standards will work, PCI compliance will ensure that your server is at the latest level as a secured device.

The second rule of not being hacked is for your site not to be the low-hanging fruit. This means having your site built by a professional who will use the best components, and then having regular WordPress, theme and plugin updates applied (just as you would on your Windows computer). Like a house, any site can be broken into, so do not leave your door unlocked or your home unsecured. Keeping your site secured simply causes the hacker to move on to the next site to find a better opportunity.

The third rule is to have a plan in case you are hacked. Be on a plan that alerts you or your professional that the site is showing up on a blacklist before your customer or prospect tells you. Part of that service should be to have your site scanned on a daily basis. If your site is compromised, you need a plan or service agreement that will get the problem fixed ASAP. Make sure the plan includes clearing your site from the blacklists if an incident occurs (this may take a few days). Site backups should also be part of that plan.

In 2012 alone, more than 170,000 WordPress websites were hacked, a number that is likely much higher by now. If you do nothing, it is not a question of whether your site will be hacked but when. Make sure that you have a seasoned professional build your WordPress site, and if you already have one, make sure a professional is managing it.
